Public Cloud Guide


About this guide 


This chapter provides information about this guide itself and how to use it. 
This guide explains how to use SUSE Linux Enterprise in public clouds. 


This guide contains the following: 


Chapter 1, Getting started
SUSE—together with the cloud service providers—offers different products and plans to
cater to a variety of use cases. Find out which works best for you.

Chapter 2, Public cloud images
SUSE offers a variety of different product images for different use cases in partner cloud
provider frameworks. Learn how to find the image that meets your use case.


1 Available documentation 


Note: Online documentation and latest updates
Documentation for our products is available at https://documentation.suse.com and
http://doc.opensuse.org/, where you can also find the latest updates, and browse or download
the documentation in various formats. The latest documentation updates can usually be
found in the English language version.

In addition, the product documentation is usually available in your installed system under
/usr/share/doc/manual.


The following documentation is available for this product: 


Book “Public Cloud Guide” 


This guide explains how to use SUSE Linux Enterprise in public clouds. 
Improving the documentation

Your feedback and contributions to this documentation are welcome. The following channels
for giving feedback are available:


Service requests and support
For services and support options available for your product, see
http://www.suse.com/support/.
To open a service request, you need a SUSE subscription registered at SUSE Customer
Center. Go to https://scc.suse.com/support/requests, log in, and click Create New.

Bug reports
Report issues with the documentation at https://bugzilla.suse.com/. A Bugzilla account
is required.
To simplify this process, you can use the Report Documentation Bug links next to headlines
in the HTML version of this document. These preselect the right product and category in
Bugzilla and add a link to the current section. You can start typing your bug report right
away.


Contributions
To contribute to this documentation, use the Edit Source links next to headlines in the
HTML version of this document. They take you to the source code on GitHub, where you
can open a pull request. A GitHub account is required.

Note: Edit Source only available for English
The Edit Source links are only available for the English version of each document.
For all other languages, use the Report Documentation Bug links instead.

For more information about the documentation environment used for this documentation,
see the repository's README at https://github.com/SUSE/doc-public-cloud.

Mail
You can also report errors and send feedback concerning the documentation to
doc-team@suse.com. Include the document title, the product version, and the publication date
of the document. Additionally, include the relevant section number and title (or provide
the URL) and provide a concise description of the problem.
3 Documentation conventions

The following notices and typographic conventions are used in this document:

• /etc/passwd: Directory names and file names
• PLACEHOLDER: Replace PLACEHOLDER with the actual value
• PATH: An environment variable
• ls, --help: Commands, options, and parameters
• user: The name of a user or group
• package_name: The name of a software package
• Alt, Alt-F1: A key to press or a key combination. Keys are shown in uppercase as
  on a keyboard.
• File, File > Save As: Menu items, buttons
• This paragraph is only relevant for the AMD64/Intel 64 architectures. The
  arrows mark the beginning and the end of the text block.
• This paragraph is only relevant for the architectures IBM Z and POWER.
  The arrows mark the beginning and the end of the text block.
• Chapter 1, “Example chapter”: A cross-reference to another chapter in this guide.
• Commands that must be run with root privileges. Often you can also prefix these
  commands with the sudo command to run them as a non-privileged user.

  # command
  > sudo command

• Commands that can be run by non-privileged users.

  > command


• Notices

  Warning: Warning notice
  Vital information you must be aware of before proceeding. Warns you about security
  issues, potential loss of data, damage to hardware, or physical hazards.

  Important: Important notice
  Important information you should be aware of before proceeding.

  Note: Note notice
  Additional information, for example about differences in software versions.

  Tip: Tip notice
  Helpful information, like a guideline or a piece of practical advice.

• Compact Notices

  Additional information, for example about differences in software versions.

  Helpful information, like a guideline or a piece of practical advice.
1 Getting started

SUSE—together with the cloud service providers—offers different products and
plans to cater to a variety of use cases. Find out which works best for you.


1.1 Products 


The following SUSE products are available for public cloud:

• SUSE Linux Enterprise Server
• SUSE Linux Enterprise High Performance Computing
• SUSE Linux Enterprise Micro
• SUSE Linux Enterprise Server for SAP Applications
• SUSE Manager Server
• SUSE Manager Proxy
• openSUSE Leap

To constantly adjust and improve SUSE's offerings, availability of products and versions
is subject to change and may differ between cloud frameworks.


1.2 Cloud service providers 

SUSE publishes product images in the following cloud service provider frameworks:

• Amazon Web Services
• Microsoft Azure
• Google Cloud

SUSE images are also available in other provider frameworks. Images in other providers
are generally created and published by the provider.

Please note that this list may change. If you are interested in becoming a SUSE partner,
visit https://www.suse.com/partners/cloud-service-providers/ for more information.


1.3 Plans 


SUSE—together with the cloud service providers—offers different plans to cater to a variety of
use cases. While details differ depending on the cloud framework, usually there are two types
of subscriptions.


Pay as you go (PAYG) 
Pay as you go (PAYG) images are used to create on-demand instances. When an instance 
is first booted, it automatically registers with a local update server. Once the system finishes 
booting, it is ready to use. 
Create an instance when you need it and delete it when you are done. While in use, you 
have access to updates from SUSE through the automatically configured repositories. You 
only pay for the resources you use. Upcharges over the basic cloud prices may apply, 
depending on the image and framework. 
PAYG instances include support through the cloud provider which in turn is supported by 
SUSE. Microsoft Azure also offers a basic PAYG image that only includes updates. Instances 
created from this image are not eligible for support. 


Bring your own subscription (BYOS)
Bring your own subscription (BYOS) images are useful if you already have a support
contract with SUSE and want to move your workloads to the public cloud. An instance
launched from a BYOS image is equivalent to a physical machine that just received a SUSE
Linux Enterprise Server installation from the SLES installation image. After creation, use
registercloudguest to register the instance with the SUSE-operated update infrastructure
in the cloud framework, or use SUSEConnect to register the system with SUSE
Customer Center using the entitlements you already have. Connect your system to your
own running RMT or SUSE Manager infrastructure in the same way you connect systems
in your data center.
BYOS instances make it easier to manage extensions such as LTSS or kernel live-patching.
Extensions for PAYG instances can only be used in conjunction with SUSE Manager.

In summary, if you already have a direct relationship with SUSE you generally want to start out
with BYOS. You can still use PAYG for on-demand excess capacity.
TABLE 1.1: FEATURE COMPARISON

Plan                                  | Pay as you go (PAYG)                               | Bring your own subscription (BYOS)
--------------------------------------|----------------------------------------------------|-----------------------------------
Customer relationship                 | with cloud provider                                | with cloud provider and SUSE
Pricing                               | per use                                            | per instance and license
Registration                          | with a local update server upon instance creation  | with your RMT or SUSE Manager infrastructure or directly with the SUSE Customer Center
Support                               | L1 and L2 support by cloud provider, L3 by SUSE    | Full support by SUSE directly
Extended ESPOS [1] or LTSS [2] support | only if included in image base product            | available
Extensions                            | only with SUSE Manager                             | no limitations

1 ESPOS: Extended Service Pack Overlay Support (https://www.suse.com/support/policy-products/#hpc)
2 LTSS: Long-Term Service Pack Support (https://www.suse.com/products/long-term-service-pack-support/)


Important: Switching plans
Switching from PAYG to BYOS or vice-versa is only possible on Microsoft Azure through
the Hybrid Benefit program. For all other cloud providers, you remain on the plan you
initially selected for as long as the instance is running. The only way to switch plans is
to start with the other image and rebuild your system.

Important: Do not register PAYG instances with the SUSE Customer Center
Registering PAYG instances with the SUSE Customer Center or your own RMT server will
create conflicts that are not easily solved. Only register BYOS instances. PAYG instances
are automatically registered against the correct update server.
1.4 Supported instance types

To find out what types of instances are supported by each provider, refer to the SUSE Public
Cloud Instance Support Matrix (https://www.suse.com/support/public-cloud-support/). Select
your SUSE Linux Enterprise product and your cloud provider to see a list of supported instance
types.


1.5 Support 


Regardless of the public cloud you use and the plan you choose, SUSE has you covered with
support. Support is dependent on whether you "bring your own subscription" (BYOS) or you
use SUSE Linux Enterprise "on-demand" (PAYG). For more information about BYOS and PAYG,
refer to Section 1.3, “Plans”.

• PAYG instances include support through the cloud provider which in turn is supported by
  SUSE. If you have a problem, always contact your cloud service provider for assistance.
  They provide 1st and 2nd level support; SUSE will provide level 3 if necessary.

  Important: Microsoft Azure basic images
  Microsoft Azure also offers a basic PAYG image that only includes updates. Instances
  created from this image are not eligible for support.

• BYOS instances are supported by SUSE under the terms of your SUSE subscription. For an
  overview of SUSE's support subscriptions, refer to https://www.suse.com/support/.

For more information, refer to the SUSE Technical Support Policy
(https://www.suse.com/support/policy/) and the support statement for SUSE Linux Enterprise
in Appendix A, Support.

For information on how to contact the SUSE support team and report problems, refer to the
SUSE Technical Support Guide (https://www.suse.com/support/handbook/).
2 Public cloud images

SUSE offers a variety of different product images for different use cases in partner
cloud provider frameworks. Learn how to find the image that meets your use case.


2.1 Image lifecycle 


All SUSE public cloud images follow a refresh cycle up to the point of deletion. The refresh cycle
follows a 'rolling' three-month time frame. What this means:

• Images in an active state are refreshed every three months. Replaced images are moved
  to the deprecated state.

• If a critical security vulnerability occurs, images in active and inactive states are
  updated as soon as possible once the fix for the affected code is available. For images in
  active state the three-month timer restarts with this forced replacement.
  SUSE is committed to addressing all security vulnerabilities that are disclosed through the
  Common Vulnerabilities and Exposures (CVE) process and have a score of 9.0 or greater in the
  Common Vulnerability Scoring System (CVSS). For more information about the effects
  and rating of CVEs, refer to the SUSE CVE database (https://www.suse.com/security/cve/).

The life cycle of an image consists of four different states:

SUSE PUBLIC CLOUD IMAGE STATES

Active
Active images are fully supported and refreshed at least every three months. The duration
lasts until the image is replaced by a newer image version.

Inactive
Inactive images are supported following the rules of LTSS or ESPOS and will only get
refreshed for critical security updates. The duration term is defined by the product. For
more information, refer to https://www.suse.com/de-de/support/policy-products/#cloud

Deprecated
Deprecated images may no longer be supported. The status of support depends on the
support status of the product in the image. Deprecated images are not made available in
regions added after an image has been set to deprecated, and they are no longer
refreshed. At the end of the six-month deprecation period, images are subject to deletion.
It is strongly discouraged to use deprecated images to create new instances.

Deleted
Deleted images are no longer supported or available for instance creation.

Important: Only use active images for new instances
It is strongly recommended to only use active images to launch instances for new
deployments.


2.2 Naming scheme 


Names for SUSE's public cloud images consist of multiple parts that contain information about
the product, its version, a time stamp indicating the release date of the image, and more. The
general naming scheme for SUSE's public cloud images is as follows:

PRODUCT-FLAVOR-vVERSION-VIRTUALIZATION-STORAGE-ARCHITECTURE-GEN

Not all components of this naming scheme are used in all frameworks.

SUSE PUBLIC CLOUD IMAGE NAMING SCHEME

PRODUCT
Abbreviated name of the product in lower case letters, e.g. suse-sles-15-sp3 or
suse-manager-4-1-proxy. This part may also be “search-optimized” per cloud framework. For
example, the prefix suse- helps when searching for SUSE in the general catalog in Amazon
Web Services.

FLAVOR
Images can have different flavors such as chost or byos. If it is the default image of
a product, this part will be omitted. Multiple FLAVOR attributes may be combined in an
image name. For example, sles-15-sp3-chost-byos is an image based on SUSE
Linux Enterprise Server 15 SP3, built as a container host using a BYOS (Bring Your Own
Subscription) billing model. Images without byos in the name are set up for PAYG
(Pay As You Go) billing. For more information about the different billing
models, refer to Section 1.3, “Plans”.
SUSE LINUX ENTERPRISE FLAVORS
• byos: Bring your own subscription (BYOS) image
• chost: Minimal container host image
• hardened: Pre-hardened images, see Section 2.5, “Hardened Images”
• hpc: SUSE Linux Enterprise High Performance Computing image
• sap: SUSE Linux Enterprise Server for SAP Applications image
• sapcal: SAP Cloud Application Library image

Not all flavors are available for all cloud frameworks; some are provider-specific.

AMAZON WEB SERVICES FLAVORS
• ecs: Amazon Elastic Container Service image

MICROSOFT AZURE FLAVORS
• basic: PAYG image that only includes updates but no support
• standard: Fully supported PAYG image

VERSION
Upload date of the image in the format vYYYYMMDD (ISO 8601).

VIRTUALIZATION (AWS-only)
SUSE no longer supports or publishes para-virtualized images. The virtualization type was
encoded as pv (para-virtualized) or hvm (hardware-assisted virtual machine). The hvm
part of the image name has been retained in an effort to not break backward compatibility.

STORAGE (AWS-only)
SUSE no longer publishes images that are based on hard disk (magnetic) backed storage.
This used to be encoded as mag. All published images are backed by SSD. The ssd part
of the image name has been retained in an effort to not break backward compatibility.

ARCHITECTURE
Either x86_64 or arm64. SUSE no longer supports or publishes 32-bit x86 images. Images
with the i386 identifier are visible in Public Cloud Information Tracker data.

GENERATION (Microsoft Azure-only)
Appended as gen2 for 2nd Generation VMs.
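
The naming scheme above can be checked mechanically, for example to audit which image names in a launch configuration are BYOS and which carry an old upload date. The following Python sketch is an added example, not code from SUSE or from PINT; the function names and the 92-day threshold (an approximation of the three-month refresh cycle from Section 2.1) are assumptions.

```python
import re
from dataclasses import dataclass, field
from datetime import date, datetime
from typing import List, Optional

# Tokens taken from the flavor, virtualization, storage and architecture
# lists in this section.
FLAVORS = {"byos", "chost", "hardened", "hpc", "sap", "sapcal",
           "ecs", "basic", "standard"}
VIRTUALIZATION = {"hvm", "pv"}
STORAGE = {"ssd", "mag"}
ARCHITECTURES = {"x86_64", "arm64", "i386"}

# The VERSION component: "v" followed by YYYYMMDD, delimited by "-" or end.
_VERSION_RE = re.compile(r"-v(\d{8})(?=-|$)")


@dataclass
class ImageName:
    product: str
    flavors: List[str]
    published: date
    virtualization: Optional[str] = None
    storage: Optional[str] = None
    architecture: Optional[str] = None
    generation: Optional[str] = None
    unknown: List[str] = field(default_factory=list)

    @property
    def billing(self) -> str:
        # Images without "byos" in the name are set up for PAYG billing.
        return "BYOS" if "byos" in self.flavors else "PAYG"


def parse_image_name(name: str) -> ImageName:
    """Split an image name into the components of the naming scheme."""
    match = _VERSION_RE.search(name)
    if match is None:
        raise ValueError(f"no vYYYYMMDD component in {name!r}")
    # strptime rejects impossible dates such as v20221340.
    published = datetime.strptime(match.group(1), "%Y%m%d").date()

    # Everything before the version is PRODUCT followed by zero or more
    # FLAVOR tokens; peel known flavors off the right-hand side.
    head = name[:match.start()].split("-")
    flavors: List[str] = []
    while len(head) > 1 and head[-1] in FLAVORS:
        flavors.insert(0, head.pop())
    parsed = ImageName("-".join(head), flavors, published)

    # Everything after the version is framework-specific and optional.
    tail = name[match.end():].lstrip("-")
    for token in filter(None, tail.split("-")):
        if token in VIRTUALIZATION:
            parsed.virtualization = token
        elif token in STORAGE:
            parsed.storage = token
        elif token in ARCHITECTURES:
            parsed.architecture = token
        elif token == "gen2":
            parsed.generation = token
        else:
            parsed.unknown.append(token)  # keep, do not guess
    return parsed


def refresh_overdue(image: ImageName, today: date, max_age_days: int = 92) -> bool:
    """True if the upload date is older than the assumed refresh window.

    Active images are refreshed every three months, so an older date in a
    pinned image name suggests a replacement exists (confirm in PINT).
    """
    return (today - image.published).days > max_age_days


if __name__ == "__main__":
    # Names taken from this guide.
    for sample in ("suse-sles-15-sp3-byos-v20220127-hvm-ssd-x86_64",
                   "sles-15-sp3-chost-byos-v20210729"):
        print(parse_image_name(sample))
```
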


2.3 Public Cloud Information Tracker 


The Public Cloud Information Tracker (PINT) provides information about the images SUSE
publishes and servers that are part of the SUSE operated update infrastructure. PINT is available
at https://pint.suse.com/ and provided as an API and command-line tool with the
python3-susepubliccloudinfo package from the Public Cloud Module repository.


[Screenshot of the PINT web interface: drop-down filters for framework, view, state, and region above a paginated table of images with columns including State, Replacement, Replacement ID, Published Date, Deprecated Date, Region, Deleted On, and Changelog.]

FIGURE 2.1: OVERVIEW OF SUSE PUBLIC CLOUD INFORMATION TRACKER (PINT)


Use the drop-down boxes to view images, servers, or both and filter by cloud framework, state,
and region. You can also search for strings and adjust the number of results shown per page.
2.3.1 Images view

The following columns are shown in the Images view. Note that the columns shown depend on the
cloud framework.

COLUMNS IN THE Images VIEW

Name
Name of the image. For more information about the image naming scheme, refer to
Section 2.2, “Naming scheme”.

State
State of the image. Can be one of active, inactive, deprecated, or deleted. For
more information, refer to Section 2.1, “Image lifecycle”.

Replacement
Name of the image that replaces another.

Replacement ID
ID of the image that replaces another. Only shown for Amazon, Oracle, and Alibaba; images
on Google and Microsoft do not have IDs.

Published Date
Publication date of the image. Displayed in the format YYYYMMDD (ISO 8601).

Deprecated Date
Date the image was deprecated by a newer one. Displayed in the format YYYYMMDD (ISO
8601). Only shown for deprecated or deleted images.

Project
Project of the image. Projects are used to organize Google Cloud Platform resources. Only
shown for Google Cloud Platform.

Region
Region of the image.

Environment
Environment of the image. Only shown for Microsoft Azure.

ID
Unique identifier of the image. While the Name of an image is the same across different
regions, the ID is unique.

URN
Uniform Resource Name of an image. While the Name of an image is different across the
environments, the URN is the same. Only shown for Microsoft Azure.

Deleted on
Date the image was deleted in the format YYYYMMDD (ISO 8601). Only shown for deleted
images.

Changelog
Link to a detailed changelog that lists image configuration changes, CVE fixes, package
version changes, and package changelogs. For more information, refer to Section 2.4, “Change
information”.
Image changelogs are only available for images that replace others. For initial images
of new product versions, refer to the product's release notes
(https://www.suse.com/releasenotes).


2.3.2 Servers view 


The following columns are displayed in the Servers view:

COLUMNS IN THE Servers VIEW

Name
Host name of the server. Region servers do not have host names. Host names are not DNS
resolvable.

IP
IP address of the server.

Region
Region of the server. For optimal performance SUSE provides servers in most regions of
a cloud framework.

Type
One of regionserver or smt. In every framework where SUSE operates an update
infrastructure, the regionserver systems are randomly distributed across regions and the
smt servers are available in most regions. Every region has smt servers assigned.
2.4 Change information

Whenever a new image gets released, you can review changes compared to the previously
released image. Search for an image in PINT (https://pint.suse.com/) and click on its entry in the
Changelog column.

Image change information is divided into different categories:

Image configuration changes
This category describes changes in the image setup; for example, if a new service was
enabled, kernel parameters were changed, or if packages were added or removed.

CVE fixes
This category lists security fixes in the image. Entries are cross linked to the SUSE CVE
database (https://www.suse.com/security/cve/). For more information, refer to Section 2.1,
“Image lifecycle”.

Package version changes
This category lists all packages that had version changes compared to the previous image
and the version in that image.

Changelog information
This category shows a concatenated changelog of all packages that had changes.

Note: Change information for new product versions
Please note that image change information is only available for updated images,
meaning for images that replace previous images of the same product version.
For initial images of new product versions, refer to the product's release notes at
https://www.suse.com/releasenotes.


To allow for automatic retrieval of image change information, all URLs follow the schema:

https://publiccloudimagechangeinfo.suse.com/FRAMEWORK/IMAGE/CHANGES.html

• FRAMEWORK is the cloud framework as used in the pint command-line tool; i.e. one of
  alibaba, amazon, google, microsoft, or oracle.

• IMAGE is the name of the image as shown by PINT, e.g.
  suse-sles-15-sp3-byos-v20220127-hvm-ssd-x86_64.

• CHANGES is the category of the changes, i.e. one of cve_fixes, image_changes,
  package_changelogs, or package_version_changes. Do not forget the .html extension to
  complete the URL.
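
When change information is retrieved automatically, it helps to build the URLs from validated components and to check any link received from elsewhere against the same schema before fetching it. The following Python sketch is an added example, not part of the SUSE tooling; the function names and the character set accepted for IMAGE are assumptions based on the names shown in this guide.

```python
import re
from urllib.parse import urlsplit

BASE_HOST = "publiccloudimagechangeinfo.suse.com"
FRAMEWORKS = ("alibaba", "amazon", "google", "microsoft", "oracle")
CATEGORIES = ("cve_fixes", "image_changes",
              "package_changelogs", "package_version_changes")
# Assumption: image names use only letters, digits, ".", "_" and "-".
# This also rejects path separators and ".." segments.
_IMAGE_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]*")


def _check(framework: str, image: str, category: str) -> None:
    if framework not in FRAMEWORKS:
        raise ValueError(f"unknown framework: {framework!r}")
    if not _IMAGE_RE.fullmatch(image) or ".." in image:
        raise ValueError(f"unexpected characters in image name: {image!r}")
    if category not in CATEGORIES:
        raise ValueError(f"unknown change category: {category!r}")


def change_info_url(framework: str, image: str, category: str) -> str:
    """Build one FRAMEWORK/IMAGE/CHANGES.html URL from validated parts."""
    _check(framework, image, category)
    return f"https://{BASE_HOST}/{framework}/{image}/{category}.html"


def all_change_info_urls(framework: str, image: str) -> dict:
    """Return the URLs of all four change categories for one image."""
    return {c: change_info_url(framework, image, c) for c in CATEGORIES}


def parse_change_info_url(url: str) -> tuple:
    """Validate a URL against the schema and return its three components."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname != BASE_HOST:
        raise ValueError("not an https URL on the change information host")
    if parts.query or parts.fragment or parts.port is not None:
        raise ValueError("unexpected query, fragment, or port")
    segments = parts.path.strip("/").split("/")
    if len(segments) != 3 or not segments[2].endswith(".html"):
        raise ValueError("path is not FRAMEWORK/IMAGE/CHANGES.html")
    framework, image, page = segments
    category = page[: -len(".html")]
    _check(framework, image, category)
    return framework, image, category


if __name__ == "__main__":
    # Image name taken from this guide.
    name = "suse-sles-15-sp3-byos-v20220127-hvm-ssd-x86_64"
    for category, url in all_change_info_urls("amazon", name).items():
        print(category, url)
```
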


2.5 Hardened Images 


To improve overall security, SUSE provides hardened images of some products. The images
are hardened using OpenSCAP, a collection of open source tools that implement the Security
Content Automation Protocol (SCAP) maintained by the National Institute of Standards
and Technology (NIST). OpenSCAP supports automated configuration, vulnerability and patch
checking, technical control compliance activities, and security measurement.

All images are pre-hardened to the extent they can safely be hardened without causing
problems in public cloud frameworks. Certain rules can only be applied after instance creation, for
example:

• Rules that require having passwords set up. Passwords would have to be public if
  configured during image build. This would defeat the purpose of a secret password.

• Rules that affect the network configuration. Networking is set up during instance creation,
  therefore it is not possible to limit access during image build.

• Rules for custom partitioning. SUSE's public cloud images are partitioned to meet the
  requirements of the framework in which they are released. If your system needs to meet
  standards that require separate file systems for given directories, we recommend that you
  build your own images and use LVM or move those directories onto attached disks to get
  the strictest data separation possible.

• Rules to remove packages. SUSE's public cloud images cater to a wide range of use cases.
  Even if the number of packages is limited, it is impossible to determine what packages
  an instance requires.
After instance creation, users can use the installed openscap packages to complete the image
hardening process using any of the following profiles:

Standard (standard.profile (https://github.com/ComplianceAsCode/content/blob/master/products/sle15/profiles/standard.profile))
Basic OpenSCAP system security standard.

CIS Server Level 2 (cis.profile (https://github.com/ComplianceAsCode/content/blob/master/products/sle15/profiles/cis.profile))
The Center for Internet Security Server Level 2 profile is considered to be “defense
in depth” and is intended for environments where security is paramount. The
recommendations associated with this profile can have an adverse effect on your organization if
not implemented appropriately or without due care. For more information, refer to
https://www.cisecurity.org.

Department of Defense STIG (stig.profile (https://github.com/ComplianceAsCode/content/blob/master/products/sle15/profiles/stig.profile))
The Defense Information Systems Agency publishes Security Technical Implementation
Guides (STIGs) for the Department of Defense. The STIG profile replaces the
previous CIS Level 3 profile and provides all recommendations that are STIG specific. Overlap
of recommendations from other profiles, i.e. CIS Level 1 and Level 2, are present in the
STIG profile as applicable. For more information, refer to https://public.cyber.mil/stigs/.

HIPAA Security Rule (hipaa.profile (https://github.com/ComplianceAsCode/content/blob/master/products/sle15/profiles/hipaa.profile))
In response to the Health Insurance Portability and Accountability Act (HIPAA) of 1996, the
U.S. Department of Health and Human Services developed Security Standards for the
Protection of Electronic Protected Health Information, commonly known as
the HIPAA Security Rule. It establishes national standards to protect individuals’
electronic personal health information (e-PHI) that is created, received, used, or maintained
by a covered entity. For more information, refer to
https://www.hhs.gov/hipaa/for-professionals/security/index.html.

Payment Card Industry Data Security Standard (pci-dss.profile (https://github.com/ComplianceAsCode/content/blob/master/products/sle15/profiles/pci-dss.profile))
The Payment Card Industry Data Security Standard (PCI DSS) is a set of
requirements to guide merchants to protect cardholder data. It is maintained by the PCI
Security Standards Council (SSC) that was founded by all five major credit card brands Visa,
MasterCard, American Express, Discover, and JCB. For more information, refer to
https://www.pcisecuritystandards.org/document_library.

All profile files are available in the ComplianceAsCode
(https://github.com/ComplianceAsCode/content/tree/master/products/sle15/profiles) repository.

For a complete list of rules that have been applied during pre-hardening, refer to
pcs-hardening.profile (https://github.com/ComplianceAsCode/content/blob/master/products/sle15/profiles/pcs-hardening.profile).
This profile is a combination of the STIG and CIS profiles minus rules that can only be
applied after instance creation.

Important: Recommended profiles
SUSE recommends using either the CIS or the STIG profile. You can use other profiles
at your own discretion.


To evaluate an instance, you can run:

> sudo oscap xccdf eval \
  --profile stig \
  --results /tmp/results.xml \
  --report /tmp/report.html \
  --stig-viewer /tmp/stigviewer.xml \
  /usr/share/xml/scap/ssg/content/ssg-sle15-ds-1.2.xml

--profile stig
Specifies the profile to use, e.g. stig or cis.

--results /tmp/results.xml
Saves the results of the evaluation to /tmp/results.xml.

--report /tmp/report.html
Generates an HTML report called /tmp/report.html in addition to the results in XML.

--stig-viewer /tmp/stigviewer.xml
Saves the results to /tmp/stigviewer.xml, which can be imported into the DISA STIG
Viewer. Refer to https://public.cyber.mil/stigs/srg-stig-tools/ for information about DISA
STIG Viewer.

/usr/share/xml/scap/ssg/content/ssg-sle15-ds-1.2.xml
SCAP Security Guide (SSG) policy file in the datastream (ds) format. Make sure to
select the correct version for your instance. To list all available policies, run:

> ls -1 /usr/share/xml/scap/ssg/content/ssg-*-ds.xml
/usr/share/xml/scap/ssg/content/ssg-opensuse-ds.xml
/usr/share/xml/scap/ssg/content/ssg-sle12-ds.xml
/usr/share/xml/scap/ssg/content/ssg-sle15-ds.xml


For more information about a particular policy, run oscap info on the file.

The evaluation process usually takes a few minutes, depending on the number of selected rules.

To remediate an instance, add the --remediate parameter:

> sudo oscap xccdf eval --remediate \
  --profile stig \
  --results /tmp/results.xml \
  --report /tmp/report.html \
  --stig-viewer /tmp/stigviewer.xml \
  /usr/share/xml/scap/ssg/content/ssg-sle15-ds-1.2.xml

For information on how to harden your system with OpenSCAP, refer to the SCAP Security Guide
(https://www.open-scap.org/security-policies/scap-security-guide/).
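
The XML file written by --results can be post-processed to list the rules that still fail after pre-hardening or remediation, for example as a gate in an instance bootstrap pipeline. The following Python sketch is an added example, not part of OpenSCAP or the SUSE images; it assumes the XCCDF 1.2 result layout (TestResult with rule-result elements), and the rule identifiers in the embedded sample are constructed.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# XCCDF 1.2 namespace used by oscap result files.
NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2, "info": 3, "unknown": 4}

# Constructed sample standing in for /tmp/results.xml; all identifiers are
# made up for illustration.
SAMPLE_RESULTS = """\
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2"
           id="xccdf_org.example_benchmark_constructed">
  <TestResult id="xccdf_org.example_testresult_constructed">
    <profile idref="xccdf_org.example_profile_stig"/>
    <rule-result idref="xccdf_org.example_rule_a" severity="medium">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_org.example_rule_b" severity="high">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_org.example_rule_c" severity="low">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_org.example_rule_d" severity="medium">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_org.example_rule_e" severity="medium">
      <result>notselected</result>
    </rule-result>
  </TestResult>
</Benchmark>
"""


def summarize(xml_text: str) -> dict:
    """Count rule outcomes and list failed rules, most severe first.

    The results file is produced locally by oscap. For XML received from an
    untrusted source, use a hardened parser (for example defusedxml) instead.
    """
    root = ET.fromstring(xml_text)
    if root.tag == f"{{{NS['x']}}}TestResult":
        test_result = root
    else:
        test_result = root.find(".//x:TestResult", NS)
    if test_result is None:
        raise ValueError("no XCCDF TestResult element found")

    profile = test_result.find("x:profile", NS)
    counts = Counter()
    failed = []
    for rule in test_result.findall("x:rule-result", NS):
        outcome = (rule.findtext("x:result", default="", namespaces=NS)
                   or "unknown").strip()
        counts[outcome] += 1
        if outcome == "fail":
            failed.append((rule.get("severity", "unknown"),
                           rule.get("idref", "")))
    failed.sort(key=lambda item: (SEVERITY_ORDER.get(item[0], 4), item[1]))
    return {
        "profile": profile.get("idref") if profile is not None else None,
        "counts": dict(counts),
        "failed": failed,
    }


def blocking_failures(summary: dict, severities=("high",)) -> list:
    """Return the failed rule IDs whose severity should block a rollout."""
    return [rule_id for severity, rule_id in summary["failed"]
            if severity in severities]


if __name__ == "__main__":
    report = summarize(SAMPLE_RESULTS)
    print("profile:", report["profile"])
    print("outcomes:", report["counts"])
    for severity, rule_id in report["failed"]:
        print(f"FAIL [{severity}] {rule_id}")
    print("blocking:", blocking_failures(report))
```

To use it on a real evaluation, pass the contents of /tmp/results.xml to summarize() instead of the embedded sample.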
3 Managing cloud guests


SUSE Linux Enterprise in public clouds is managed almost like on bare metal or in 
virtual environments. Learn about what is different in the cloud. 
A Support

Find the support statement for SUSE Linux Enterprise and general information about technology
previews below. For details about the product lifecycle, see https://www.suse.com/lifecycle.

If you are entitled to support, find details on how to collect information for a support ticket at
https://documentation.suse.com/sles-15/html/SLES-all/cha-adm-support.html.

A.1 Support statement for SUSE Linux Enterprise

To receive support, you need an appropriate subscription with SUSE. To view the specific support
offerings available to you, go to https://www.suse.com/support/ and select your product.


The support levels are defined as follows: 


L1
Problem determination, which means technical support designed to provide compatibility
information, usage support, ongoing maintenance, information gathering and basic
troubleshooting using available documentation.

L2
Problem isolation, which means technical support designed to analyze data, reproduce
customer problems, isolate problem area and provide a resolution for problems not
resolved by Level 1 or prepare for Level 3.

L3
Problem resolution, which means technical support designed to resolve problems by
engaging engineering to resolve product defects which have been identified by Level 2
support.


For contracted customers and partners, SUSE Linux Enterprise is delivered with L3 support for 
all packages, except for the following: 


• Technology previews.
• Sound, graphics, fonts, and artwork.
• Packages that require an additional customer contract.


Some packages shipped as part of the module Workstation Extension are L2-supported only.


Packages with names ending in -devel (containing header files and similar developer 
resources) will only be supported together with their main packages. 


SUSE will only support the usage of original packages. That is, packages that are unchanged
and not recompiled.


A.2 Technology previews 


Technology previews are packages, stacks, or features delivered by SUSE to provide glimpses
into upcoming innovations. Technology previews are included for your convenience to give you
a chance to test new technologies within your environment. We would appreciate your feedback!
If you test a technology preview, please contact your SUSE representative and let them know
about your experience and use cases. Your input is helpful for future development.


Technology previews have the following limitations: 


• Technology previews are still in development. Therefore, they may be functionally
  incomplete, unstable, or in other ways not suitable for production use.
• Technology previews are not supported.
• Technology previews may only be available for specific hardware architectures.
• Details and functionality of technology previews are subject to change. As a result,
  upgrading to subsequent releases of a technology preview may be impossible and require a
  fresh installation.
• SUSE may discover that a preview does not meet customer or market needs, or does not
  comply with enterprise standards. Technology previews can be removed from a product
  at any time. SUSE does not commit to providing a supported version of such technologies
  in the future.


For an overview of technology previews shipped with your product, see the release notes at
https://www.suse.com/releasenotes/x86_64/public-cloud.
B GNU licenses


This appendix contains the GNU Free Documentation License version 1.2.


GNU Free Documentation License 


Copyright (C) 2000, 2001, 2002 Free Software Foundation, Inc. 51 Franklin St, Fifth Floor,
Boston, MA 02110-1301 USA. Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.


0. PREAMBLE 


The purpose of this License is to make a manual, textbook, or other functional and useful
document "free" in the sense of freedom: to assure everyone the effective freedom to copy
and redistribute it, with or without modifying it, either commercially or non-commercially.
Secondarily, this License preserves for the author and publisher a way to get credit for their
work, while not being considered responsible for modifications made by others.


This License is a kind of "copyleft", which means that derivative works of the document must
themselves be free in the same sense. It complements the GNU General Public License, which
is a copyleft license designed for free software.


We have designed this License to use it for manuals for free software, because free software
needs free documentation: a free program should come with manuals providing the same
freedoms that the software does. But this License is not limited to software manuals; it can
be used for any textual work, regardless of subject matter or whether it is published as a
printed book. We recommend this License principally for works whose purpose is instruction
or reference.


1. APPLICABILITY AND DEFINITIONS 


This License applies to any manual or other work, in any medium, that contains a notice placed
by the copyright holder saying it can be distributed under the terms of this License. Such a
notice grants a world-wide, royalty-free license, unlimited in duration, to use that work under
the conditions stated herein. The "Document", below, refers to any such manual or work. Any
member of the public is a licensee, and is addressed as "you". You accept the license if you
copy, modify or distribute the work in a way requiring permission under copyright law.


A "Modified Version" of the Document means any work containing the Document or a portion
of it, either copied verbatim, or with modifications and/or translated into another language.


A "Secondary Section" is a named appendix or a front-matter section of the Document that 
deals exclusively with the relationship of the publishers or authors of the Document to the 
Document's overall subject (or to related matters) and contains nothing that could fall directly 
within that overall subject. (Thus, if the Document is in part a textbook of mathematics, a 
Secondary Section may not explain any mathematics.) The relationship could be a matter 
of historical connection with the subject or with related matters, or of legal, commercial, 
philosophical, ethical or political position regarding them. 

The "Invariant Sections" are certain Secondary Sections whose titles are designated, as being 
those of Invariant Sections, in the notice that says that the Document is released under this 
License. If a section does not fit the above definition of Secondary then it is not allowed to be 
designated as Invariant. The Document may contain zero Invariant Sections. If the Document 
does not identify any Invariant Sections then there are none. 

The "Cover Texts" are certain short passages of text that are listed, as Front-Cover Texts or
Back-Cover Texts, in the notice that says that the Document is released under this License. A
Front-Cover Text may be at most 5 words, and a Back-Cover Text may be at most 25 words.

A "Transparent" copy of the Document means a machine-readable copy, represented in a
format whose specification is available to the general public, that is suitable for revising the
document straightforwardly with generic text editors or (for images composed of pixels) generic
paint programs or (for drawings) some widely available drawing editor, and that is suitable
for input to text formatters or for automatic translation to a variety of formats suitable for
input to text formatters. A copy made in an otherwise Transparent file format whose markup,
or absence of markup, has been arranged to thwart or discourage subsequent modification
by readers is not Transparent. An image format is not Transparent if used for any substantial
amount of text. A copy that is not "Transparent" is called "Opaque".

Examples of suitable formats for Transparent copies include plain ASCII without markup,
Texinfo input format, LaTeX input format, SGML or XML using a publicly available DTD, and
standard-conforming simple HTML, PostScript or PDF designed for human modification. Examples
of transparent image formats include PNG, XCF and JPG. Opaque formats include proprietary
formats that can be read and edited only by proprietary word processors, SGML or XML for
which the DTD and/or processing tools are not generally available, and the machine-generated
HTML, PostScript or PDF produced by some word processors for output purposes only.


The "Title Page" means, for a printed book, the title page itself, plus such following pages as
are needed to hold, legibly, the material this License requires to appear in the title page. For
works in formats which do not have any title page as such, "Title Page" means the text near the
most prominent appearance of the work's title, preceding the beginning of the body of the text.


A section "Entitled XYZ" means a named subunit of the Document whose title either is precisely 
XYZ or contains XYZ in parentheses following text that translates XYZ in another language. 
(Here XYZ stands for a specific section name mentioned below, such as "Acknowledgements", 
"Dedications", "Endorsements", or "History".) To "Preserve the Title" of such a section when 
you modify the Document means that it remains a section "Entitled XYZ" according to this 
definition. 

The Document may include Warranty Disclaimers next to the notice which states that this
License applies to the Document. These Warranty Disclaimers are considered to be included
by reference in this License, but only as regards disclaiming warranties: any other implication
that these Warranty Disclaimers may have is void and has no effect on the meaning of this
License.


2. VERBATIM COPYING 


You may copy and distribute the Document in any medium, either commercially or
non-commercially, provided that this License, the copyright notices, and the license notice saying
this License applies to the Document are reproduced in all copies, and that you add no other
conditions whatsoever to those of this License. You may not use technical measures to obstruct
or control the reading or further copying of the copies you make or distribute. However, you
may accept compensation in exchange for copies. If you distribute a large enough number of
copies you must also follow the conditions in section 3.


You may also lend copies, under the same conditions stated above, and you may publicly
display copies.


3. COPYING IN QUANTITY 


If you publish printed copies (or copies in media that commonly have printed covers) of the 
Document, numbering more than 100, and the Document's license notice requires Cover Texts,
you must enclose the copies in covers that carry, clearly and legibly, all these Cover Texts: 
Front-Cover Texts on the front cover, and Back-Cover Texts on the back cover. Both covers 
must also clearly and legibly identify you as the publisher of these copies. The front cover 
must present the full title with all words of the title equally prominent and visible. You may 
add other material on the covers in addition. Copying with changes limited to the covers, as 
long as they preserve the title of the Document and satisfy these conditions, can be treated 
as verbatim copying in other respects. 

If the required texts for either cover are too voluminous to fit legibly, you should put the 
first ones listed (as many as fit reasonably) on the actual cover, and continue the rest onto 
adjacent pages. 

If you publish or distribute Opaque copies of the Document numbering more than 100, you
must either include a machine-readable Transparent copy along with each Opaque copy, or
state in or with each Opaque copy a computer-network location from which the general
network-using public has access to download using public-standard network protocols a complete
Transparent copy of the Document, free of added material. If you use the latter option, you
must take reasonably prudent steps, when you begin distribution of Opaque copies in quantity,
to ensure that this Transparent copy will remain thus accessible at the stated location until
at least one year after the last time you distribute an Opaque copy (directly or through your
agents or retailers) of that edition to the public.

It is requested, but not required, that you contact the authors of the Document well before
redistributing any large number of copies, to give them a chance to provide you with an
updated version of the Document.


4. MODIFICATIONS


You may copy and distribute a Modified Version of the Document under the conditions of
sections 2 and 3 above, provided that you release the Modified Version under precisely this
License, with the Modified Version filling the role of the Document, thus licensing distribution
and modification of the Modified Version to whoever possesses a copy of it. In addition, you
must do these things in the Modified Version:


A. Use in the Title Page (and on the covers, if any) a title distinct from that of the
   Document, and from those of previous versions (which should, if there were any,
   be listed in the History section of the Document). You may use the same title as a
   previous version if the original publisher of that version gives permission.

B. List on the Title Page, as authors, one or more persons or entities responsible for
   authorship of the modifications in the Modified Version, together with at least five
   of the principal authors of the Document (all of its principal authors, if it has fewer
   than five), unless they release you from this requirement.

C. State on the Title page the name of the publisher of the Modified Version, as the
   publisher.

D. Preserve all the copyright notices of the Document.

E. Add an appropriate copyright notice for your modifications adjacent to the other
   copyright notices.

F. Include, immediately after the copyright notices, a license notice giving the public
   permission to use the Modified Version under the terms of this License, in the form
   shown in the Addendum below.

G. Preserve in that license notice the full lists of Invariant Sections and required Cover
   Texts given in the Document's license notice.

H. Include an unaltered copy of this License.

I. Preserve the section Entitled "History", Preserve its Title, and add to it an item
   stating at least the title, year, new authors, and publisher of the Modified Version
   as given on the Title Page. If there is no section Entitled "History" in the Document,
   create one stating the title, year, authors, and publisher of the Document as given
   on its Title Page, then add an item describing the Modified Version as stated in
   the previous sentence.

J. Preserve the network location, if any, given in the Document for public access to
   a Transparent copy of the Document, and likewise the network locations given in
   the Document for previous versions it was based on. These may be placed in the
   "History" section. You may omit a network location for a work that was published
   at least four years before the Document itself, or if the original publisher of the
   version it refers to gives permission.

K. For any section Entitled "Acknowledgements" or "Dedications", Preserve the Title
   of the section, and preserve in the section all the substance and tone of each of the
   contributor acknowledgements and/or dedications given therein.

L. Preserve all the Invariant Sections of the Document, unaltered in their text and
   in their titles. Section numbers or the equivalent are not considered part of the
   section titles.

M. Delete any section Entitled "Endorsements". Such a section may not be included
   in the Modified Version.

N. Do not retitle any existing section to be Entitled "Endorsements" or to conflict in
   title with any Invariant Section.

O. Preserve any Warranty Disclaimers.


If the Modified Version includes new front-matter sections or appendices that qualify as
Secondary Sections and contain no material copied from the Document, you may at your option
designate some or all of these sections as invariant. To do this, add their titles to the list of
Invariant Sections in the Modified Version's license notice. These titles must be distinct from
any other section titles.

You may add a section Entitled "Endorsements", provided it contains nothing but
endorsements of your Modified Version by various parties--for example, statements of peer review
or that the text has been approved by an organization as the authoritative definition of a
standard.

You may add a passage of up to five words as a Front-Cover Text, and a passage of up to 25
words as a Back-Cover Text, to the end of the list of Cover Texts in the Modified Version. Only
one passage of Front-Cover Text and one of Back-Cover Text may be added by (or through
arrangements made by) any one entity. If the Document already includes a cover text for the
same cover, previously added by you or by arrangement made by the same entity you are
acting on behalf of, you may not add another; but you may replace the old one, on explicit
permission from the previous publisher that added the old one.

The author(s) and publisher(s) of the Document do not by this License give permission to use
their names for publicity for or to assert or imply endorsement of any Modified Version.


5. COMBINING DOCUMENTS 


You may combine the Document with other documents released under this License, under 
the terms defined in section 4 above for modified versions, provided that you include in the 
combination all of the Invariant Sections of all of the original documents, unmodified, and 
list them all as Invariant Sections of your combined work in its license notice, and that you 
preserve all their Warranty Disclaimers. 

The combined work need only contain one copy of this License, and multiple identical
Invariant Sections may be replaced with a single copy. If there are multiple Invariant Sections with
the same name but different contents, make the title of each such section unique by adding
at the end of it, in parentheses, the name of the original author or publisher of that section if
known, or else a unique number. Make the same adjustment to the section titles in the list of
Invariant Sections in the license notice of the combined work.

In the combination, you must combine any sections Entitled "History" in the various original
documents, forming one section Entitled "History"; likewise combine any sections Entitled
"Acknowledgements", and any sections Entitled "Dedications". You must delete all sections
Entitled "Endorsements".


6. COLLECTIONS OF DOCUMENTS 


You may make a collection consisting of the Document and other documents released under 
this License, and replace the individual copies of this License in the various documents with a 
single copy that is included in the collection, provided that you follow the rules of this License 
for verbatim copying of each of the documents in all other respects. 

You may extract a single document from such a collection, and distribute it individually under
this License, provided you insert a copy of this License into the extracted document, and follow
this License in all other respects regarding verbatim copying of that document.


7. AGGREGATION WITH INDEPENDENT WORKS 


A compilation of the Document or its derivatives with other separate and independent
documents or works, in or on a volume of a storage or distribution medium, is called an "aggregate"
if the copyright resulting from the compilation is not used to limit the legal rights of the
compilation's users beyond what the individual works permit. When the Document is included in
an aggregate, this License does not apply to the other works in the aggregate which are not
themselves derivative works of the Document.

If the Cover Text requirement of section 3 is applicable to these copies of the Document, then
if the Document is less than one half of the entire aggregate, the Document's Cover Texts
may be placed on covers that bracket the Document within the aggregate, or the electronic
equivalent of covers if the Document is in electronic form. Otherwise they must appear on
printed covers that bracket the whole aggregate.


8. TRANSLATION 


Translation is considered a kind of modification, so you may distribute translations of the 
Document under the terms of section 4. Replacing Invariant Sections with translations requires 
special permission from their copyright holders, but you may include translations of some 
or all Invariant Sections in addition to the original versions of these Invariant Sections. You 
may include a translation of this License, and all the license notices in the Document, and 
any Warranty Disclaimers, provided that you also include the original English version of this 
License and the original versions of those notices and disclaimers. In case of a disagreement 
between the translation and the original version of this License or a notice or disclaimer, the 
original version will prevail. 

If a section in the Document is Entitled "Acknowledgements", "Dedications", or "History", the 
requirement (section 4) to Preserve its Title (section 1) will typically require changing the 
actual title. 


9. TERMINATION 


You may not copy, modify, sublicense, or distribute the Document except as expressly
provided for under this License. Any other attempt to copy, modify, sublicense or distribute the
Document is void, and will automatically terminate your rights under this License. However,
parties who have received copies, or rights, from you under this License will not have their
licenses terminated so long as such parties remain in full compliance.


10. FUTURE REVISIONS OF THIS LICENSE


The Free Software Foundation may publish new, revised versions of the GNU Free
Documentation License from time to time. Such new versions will be similar in spirit to the present
version, but may differ in detail to address new problems or concerns. See
http://www.gnu.org/copyleft/.

Each version of the License is given a distinguishing version number. If the Document specifies 
that a particular numbered version of this License "or any later version" applies to it, you have 
the option of following the terms and conditions either of that specified version or of any 
later version that has been published (not as a draft) by the Free Software Foundation. If the 
Document does not specify a version number of this License, you may choose any version ever 
published (not as a draft) by the Free Software Foundation. 


ADDENDUM: How to use this License for your documents 


Copyright (c) YEAR YOUR NAME.
Permission is granted to copy, distribute and/or modify this document
under the terms of the GNU Free Documentation License, Version 1.2
or any later version published by the Free Software Foundation;
with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts.
A copy of the license is included in the section entitled “GNU
Free Documentation License”.


If you have Invariant Sections, Front-Cover Texts and Back-Cover Texts, replace the
“with...Texts.” line with this:


with the Invariant Sections being LIST THEIR TITLES, with the
Front-Cover Texts being LIST, and with the Back-Cover Texts being LIST.


If you have Invariant Sections without Cover Texts, or some other combination of the three, 
merge those two alternatives to suit the situation. 

If your document contains nontrivial examples of program code, we recommend releasing
these examples in parallel under your choice of free software license, such as the GNU General
Public License, to permit their use in free software.